Zip File Containing Masked .exe Delivers CTB Locker Ransomware

NOTES:
This Zip file was found on Malwr.com. Below is the traffic associated with the infection.

ASSOCIATED IP ADDRESSES and DOMAINS:

  • 193.23.244.244 – HTTPS – Germany, AS50472 Chaos Computer Club e.V.
  • 82.94.251.220 – http://zsn5qtrgfpu4tmpg.onion.lt/
  • 194.150.168.74 – HTTPS – Germany, AS250 AS250.net Foundation


Shown above: Post-infection traffic to the C2

Shown above: Zip file containing an .exe file masked as a .pdf
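As an added illustration of the delivery trick in the screenshot (example code, not part of the original analysis), the Python below inspects a ZIP archive for members that carry a document-looking name but either an executable extension or a PE (MZ) header. The archive contents and member names are constructed for the example, not taken from the real sample.

```python
import io
import zipfile

# Extensions Windows treats as runnable even when a document-looking name precedes them
# (.pif included, which is the extension the start-up entry on this page used).
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def suspicious_zip_members(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) pairs for entries masquerading as documents."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            exts = ["." + p for p in base.split(".")[1:]]
            last = exts[-1] if exts else ""
            # Name check: "invoice.pdf.exe" hides a document extension before the real one.
            if last in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1]):
                findings.append((info.filename, "document extension followed by executable extension"))
            # Content check: Windows PE files start with the 'MZ' DOS stub whatever the name says.
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == b"MZ" and last not in EXECUTABLE_EXTS:
                findings.append((info.filename, "PE header in a non-executable file name"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive (not the malicious ZIP from the page)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2016-04-21.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)  # masked .exe
        zf.writestr("scan.pdf", b"MZ\x90\x00" + b"\x00" * 60)                    # PE bytes, .pdf name
        zf.writestr("notes.txt", b"plain text, nothing to see")                  # benign
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_zip_members(build_sample_zip()):
        print(f"{name}: {reason}")
```

The MZ check matters because the name-based rule alone misses a payload whose dropper renames it after extraction; a mail gateway or sandbox would typically run both rules.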


Shown above: CTB Locker start-up location, using a .pif file to point to the payload. Information about the .pif file extension can be found on www.webopedia.com

Shown above: CTB Locker ransom instructions


Shown above: CTB Locker allowing decryption of 5 random files

Shown above: CTB Locker successful decryption of five files


Shown above: CTB Locker connecting to the server to retrieve the private key

Shown above: CTB Locker requesting $840.00 US currency for decryption of files


Shown above: Ransom notes placed in the directories of encrypted files. Encrypted files were given the .mskjxwn file extension.

Shown above: CTB Locker file details


PAYLOAD FROM MALICIOUS ZIP FILE:

2016-04-21-pmzuyfk.exe
VirusTotal link